Best thing is to allow by user\group. That way you have complete control over who gets access. (That on top of the fact that you do have to specifically allow something with policy in order to grant access.)

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Jill Ray [mailto:jill@xxxxxxxxxxxxxxx]
Sent: Friday, January 24, 2003 12:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] access policies--

http://www.ISAserver.org

When authenticating by user, it is better to assign policies by

1. denying all first, then allowing by user/group
2. allowing all first, then denying by user/group

Is one trickier than the other?

Thanks in advance for your help,
Jill
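The two orderings from the question, compared in a simplified model. This is an added example, not part of the original thread and not ISA Server's rule engine; the `Policy` class, the user names and the group names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    default_allow: bool        # outcome when no listed group matches
    listed_groups: frozenset   # groups that receive the opposite of the default

    def permits(self, groups):
        matched = bool(self.listed_groups & set(groups))
        # A match flips the default: an allow-list grants, a deny-list blocks.
        return matched != self.default_allow

# Constructed sample directory: user -> (group memberships, access intended?)
USERS = {
    "alice":   ({"Staff"}, True),
    "bob":     ({"Staff", "Finance"}, True),
    "temp01":  ({"Contractors"}, False),
    "newhire": (set(), False),         # account exists, no group assigned yet
    "vendor7": ({"Vendors"}, False),   # group created after the policy was written
}

# Option 1: deny all first, then allow by user/group.
DENY_FIRST = Policy(default_allow=False, listed_groups=frozenset({"Staff"}))
# Option 2: allow all first, then deny by user/group.
ALLOW_FIRST = Policy(default_allow=True, listed_groups=frozenset({"Contractors"}))

def unintended_access(policy, users=USERS):
    """Users the policy lets through although access was not intended."""
    return sorted(name for name, (groups, intended) in users.items()
                  if policy.permits(groups) and not intended)

def wrongly_blocked(policy, users=USERS):
    """Users the policy blocks although access was intended."""
    return sorted(name for name, (groups, intended) in users.items()
                  if intended and not policy.permits(groups))

if __name__ == "__main__":
    for label, policy in (("deny-first", DENY_FIRST), ("allow-first", ALLOW_FIRST)):
        print(label, "unintended:", unintended_access(policy),
              "blocked:", wrongly_blocked(policy))
```

In this model both orderings serve the intended users, but only the allow-first policy admits accounts nobody thought to list, which is why its deny list has to be kept current with every new account or group.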